Web Hosting Talk

Local root hole in openssh with UseLogin Yes


cperciva
12-02-2001, 10:51 PM
Anyone running openssh, providing users with shell access via ssh, with UseLogin Yes set in /etc/ssh/sshd_config (or /etc/sshd_config, or /usr/local/etc/sshd_config, depending upon layout) should immediately change that line to UseLogin No and send a HUP to sshd.

Details will follow, once announced.

Palm
12-02-2001, 11:48 PM
Wasn't this problem announced last year?

http://www.ciac.org/ciac/bulletins/k-058.shtml

cperciva
12-02-2001, 11:52 PM
No, this is a new bug.

Palm
12-03-2001, 12:35 AM
It would be good if you posted something to back it up.
Commenting it out has the same effect?

clocker1996
12-03-2001, 12:37 AM
cp,

mine was commented
#UseLogin no

so either way I'm safe, correct?

cperciva
12-03-2001, 12:42 AM
As I said before, I'll add details once the official announcements come out. The default for openssh is UseLogin No (the line is included, commented out, in sshd_config just for informational purposes, if no UseLogin line is found sshd will use No), so unless you (or a control panel you've installed) has changed that you are safe.
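
The question running through this thread is whether a commented-out "#UseLogin no" line leaves a host exposed. As an added example (not code from any poster, from FreeBSD, or from the OpenSSH project), the script below applies the sshd_config parsing rules cperciva relies on (keywords are case-insensitive, the first occurrence of a keyword wins, a line starting with "#" is not a directive, and no directive at all means the compiled-in default "no") to report the effective UseLogin value, and it counts authorized_keys entries that carry the environment= option, which is the vector the advisory quoted later in the thread describes. The temp-directory layout, the sample configs and the key blobs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example for this thread (not from the posts or the FreeBSD advisory):
# audit an sshd_config for the effective UseLogin value and count the
# authorized_keys entries that set environment= options.
# Two facts about sshd's config parser drive the logic:
#   * keywords are case-insensitive and the first occurrence of a keyword
#     wins, so a later "UseLogin no" cannot undo an earlier "UseLogin yes";
#   * a leading "#" makes the whole line a comment, so "#UseLogin no" is
#     informational only and sshd falls back to its compiled-in default, "no".

# Print the effective UseLogin value ("yes" or "no") for config file $1.
effective_uselogin() {
    awk '
        /^[[:space:]]*(#|$)/ { next }        # comments and blank lines
        {
            gsub(/=/, " ")                    # sshd also accepts "Keyword=value"
            $0 = $0                           # re-split fields after the edit
            if (tolower($1) == "uselogin") {
                print tolower($2)
                found = 1
                exit                          # first occurrence wins
            }
        }
        END { if (!found) print "no" }        # no directive: compiled-in default
    ' "$1"
}

# Count non-comment authorized_keys lines in file $1 that carry an
# environment="..." option. Prints 0 when there are none.
count_env_options() {
    grep -v '^[[:space:]]*#' "$1" | grep -ic 'environment="' || true
}

# One-line verdict for a host: sshd_config $1, authorized_keys file $2.
audit() {
    if [ "$(effective_uselogin "$1")" = yes ]; then
        echo "AT RISK: UseLogin yes; $(count_env_options "$2") authorized_keys entries set environment="
    else
        echo "OK: UseLogin no (explicitly or by default)"
    fi
}

# Constructed sample files, written to a temp dir so the script runs offline.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Stock-style config: the directive is present only as a comment -> default "no".
cat > "$SAMPLE_DIR/sshd_config.stock" <<'EOF'
Port 22
#UseLogin no
PubkeyAuthentication yes
EOF

# Config with no UseLogin line at all -> default "no".
cat > "$SAMPLE_DIR/sshd_config.minimal" <<'EOF'
Port 22
EOF

# Changed by an admin or control panel: the first UseLogin wins despite the later "no".
cat > "$SAMPLE_DIR/sshd_config.changed" <<'EOF'
Port 22
  UseLogin=Yes
UseLogin no
EOF

# authorized_keys with two live environment= entries and one commented out.
# Key blobs are placeholders, not real keys.
cat > "$SAMPLE_DIR/authorized_keys" <<'EOF'
ssh-rsa AAAAB3NzaC1yc2EAAAAPLACEHOLDER alice@example.org
environment="TMPDIR=/var/tmp" ssh-rsa AAAAB3NzaC1yc2EAAAAPLACEHOLDER bob@example.org
from="10.0.0.0/8",environment="EDITOR=vi" ssh-dss AAAAB3NzaC1kc3MAAAAPLACEHOLDER carol@example.org
#environment="FOO=bar" ssh-rsa AAAAB3NzaC1yc2EAAAAPLACEHOLDER dave@example.org
EOF

audit "$SAMPLE_DIR/sshd_config.stock"   "$SAMPLE_DIR/authorized_keys"
audit "$SAMPLE_DIR/sshd_config.minimal" "$SAMPLE_DIR/authorized_keys"
audit "$SAMPLE_DIR/sshd_config.changed" "$SAMPLE_DIR/authorized_keys"
```

Point the functions at the real files instead of the samples (/etc/ssh/sshd_config, or /usr/local/etc/sshd_config for the port, and each user's ~/.ssh/authorized_keys and authorized_keys2). An "AT RISK" verdict means the directive should be changed to UseLogin no and sshd sent a HUP, exactly as the first post and the advisory's workaround say; the environment= count only tells you whether any account has already staged such an entry, not whether the host is safe.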

bobcares
12-03-2001, 10:35 AM
The default for Redhat boxes is the commented line
#UseLogin no

So that would make all of us safe.

Have a great day :)

regards
amar

cperciva
12-03-2001, 11:33 AM
Originally posted by bobcares
The default for Redhat boxes is the commented line
#UseLogin no

So that would make all of us safe.


All? Some people don't run default Redhat installs, you know. And that includes almost anyone concerned about security.

clocker1996
12-03-2001, 04:36 PM
I always rpm -e default rh stuff

cperciva
12-04-2001, 01:39 PM
Details, as promised:

From: FreeBSD Security Advisories <security-advisories@FreeBSD.ORG>

FreeBSD-SA-01:63 Security Advisory
FreeBSD, Inc.

Topic:          OpenSSH UseLogin directive permits privilege escalation

Category:       core/ports
Module:         openssh
Announced:      2001-12-02
Credits:        Markus Friedl <markus@OpenBSD.org>
Affects:        FreeBSD 4.3-RELEASE, 4.4-RELEASE
                FreeBSD 4.4-STABLE prior to the correction date
                Ports collection prior to the correction date
Corrected:      2001-12-03 00:53:28 UTC (RELENG_4)
                2001-12-03 00:54:18 UTC (RELENG_4_4)
                2001-12-03 00:54:54 UTC (RELENG_4_3)
                2001-12-02 06:52:40 UTC (openssh port)
FreeBSD only:   NO

I. Background

OpenSSH is an implementation of the SSH1 and SSH2 secure shell
protocols for providing encrypted and authenticated network access,
which is available free for unrestricted use. Versions of OpenSSH are
included in the FreeBSD ports collection and the FreeBSD base system.

II. Problem Description

OpenSSH includes a feature by which a user can arrange for
environmental variables to be set depending upon the key used for
authentication. These environmental variables are specified in the
`authorized_keys' (SSHv1) or `authorized_keys2' (SSHv2) files in the
user's home directory on the server. This is normally safe, as this
environment is passed only to the user's shell, which is invoked with
user privileges.

However, when the OpenSSH server `sshd' is configured to use
the system's login program (via the directive `UseLogin yes' in
sshd_config), this environment is passed to login, which is invoked
with superuser privileges. Because certain environmental variables
such as LD_LIBRARY_PATH and LD_PRELOAD can be set using the previously
described feature, the user may arrange for login to execute arbitrary
code with superuser privileges.

All versions of FreeBSD 4.x prior to the correction date including
FreeBSD 4.3 and 4.4 are potentially vulnerable to this problem.
However, the OpenSSH server is configured to not use the system login
program (`UseLogin no') by default, and is therefore not vulnerable
unless the system administrator has changed this setting.

In addition, there are two versions of OpenSSH included in the
ports collection. One is ports/security/openssh, which is the
BSD-specific version of OpenSSH. Versions of this port prior to
openssh-3.0.2 exhibit the problem described above. The other is
ports/security/openssh-portable, which is not vulnerable, even if the
server is set to `UseLogin yes'.

III. Impact

Hostile but otherwise legitimate users that can successfully
authenticate using public key authentication may cause /usr/bin/login
to run arbitrary code as the superuser.

If you have not enabled the 'UseLogin' directive in the sshd
configuration file, you are not vulnerable to this problem.

IV. Workaround

Doing one of the following will eliminate the vulnerability:

1) Configure sshd to not use the system login program. Edit the
server configuration file and change any `UseLogin' directives
to `UseLogin no'. This is the preferred workaround.

2) If for whatever reason, disabling `UseLogin' is not possible,
then one can instead disable public key authentication. Edit the
server configuration file and change any `RSAAuthentication',
`DSAAuthentication', or `PubKeyAuthentication' directives
to `RSAAuthentication no', `DSAAuthentication no', and
`PubKeyAuthentication no', respectively.

For sshd included in the base system (/usr/bin/sshd), the
server configuration file is `/etc/ssh/sshd_config'. For sshd
from the ports collection, the server configuration file is
`/usr/local/etc/sshd_config'.

After modifying the sshd configuration file, the sshd daemon must be
restarted by executing the following command as root:

# kill -HUP `cat /var/run/sshd.pid`

V. Solution

1) Upgrade the vulnerable system to 4.3-RELEASEp21, 4.4-RELEASEp1, or
4.4-STABLE after the correction date, or patch your current system
source code and rebuild.

2) FreeBSD 4.x systems prior to the correction date:

The following patch has been verified to apply to FreeBSD
4.3-RELEASE, 4.4-RELEASE, and 4.4-STABLE dated prior to the
correction date. It may or may not apply to older, unsupported
versions of FreeBSD.

Download the patch and the detached PGP signature from the following
locations, and verify the signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:63/sshd.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:63/sshd.patch.asc

Execute the following commands as root:

# cd /usr/src/crypto/openssh
# patch < /path/to/sshd.patch
# cd /usr/src/secure/usr.sbin/sshd
# make depend && make all install

[snip details on binary upgrades and ports collection in order to fit within 10K characters]

VI. Correction details

Path                                      Revision
                                            Branch
- -------------------------------------------------------------------------
src/crypto/openssh/session.c
  HEAD                                      1.18
  RELENG_4                                  1.4.2.11
  RELENG_4_4                                1.4.2.8.4.1
  RELENG_4_3                                1.4.2.8.2.1
src/crypto/openssh/version.h
  HEAD                                      1.9
  RELENG_4                                  1.1.1.1.2.7
  RELENG_4_4                                1.1.1.1.2.5.2.1
  RELENG_4_3                                1.1.1.1.2.4.2.1
ports/security/openssh/Makefile             1.79
- -------------------------------------------------------------------------

For OpenSSH included in the base system, there is a version string
indicating which FreeBSD localizations are available. The following
table lists the version strings for each branch which include this
security fix:

Branch          Version string
- -------------------------------------------------------------------------
HEAD            OpenSSH_2.9 FreeBSD localisations 20011202
RELENG_4        OpenSSH_2.9 FreeBSD localisations 20011202
RELENG_4_4      OpenSSH_2.3.0 FreeBSD localisations 20011202
RELENG_4_3      OpenSSH_2.3.0 green@FreeBSD.org 20011202
- -------------------------------------------------------------------------

To view the version string of the OpenSSH server, execute the following
command:

% /usr/sbin/sshd -\?

The version string is also displayed when a client connects to the
server.

VII. References

<URL:http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c#rev1.110>